Monday, December 14, 2015

How to Find Out Whether AES-NI (Advanced Encryption) Is Enabled on a Linux System

The Intel Advanced Encryption Standard New Instructions (AES-NI) engine enables extremely fast hardware encryption and decryption for openssl, ssh, vpn, Linux/Unix/OSX full disk encryption and more. How do I check whether Intel or AMD AES-NI support is available on my running Linux system, including for openssl?

The Advanced Encryption Standard Instruction Set (or the Intel Advanced Encryption Standard New Instructions, "AES-NI") allows certain Intel/AMD and other CPUs to do extremely fast hardware encryption and decryption. AES-NI is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD. It increases the speed of applications performing encryption and decryption using AES. Several server and laptop vendors have shipped BIOS configurations with the AES-NI extension disabled. You may need a BIOS update or a change to the BIOS settings to enable it. The following CPUs are supported:

VIA PadLock (a different instruction set than Intel AES-NI but does the same thing at the end of the day).

ARM - selected Allwinner and Broadcom chips using a security processor. There are a few more ARM-based processors.

Please note that AES-NI support is automatically enabled if the detected processor is in the supported list above. For a list of processors that support the AES-NI engine, see the Intel ARK/AMD/ARM (vendor)/VIA PadLock sites and documentation.

How do I find out that the processor has the AES/AES-NI instruction set?

To find out cpu type and architecture type:

# lscpu

Type the following command to make sure that the processor has the AES instruction set and enabled in the BIOS:

# grep -o aes /proc/cpuinfo

OR

# grep -m1 -o aes /proc/cpuinfo

Sample outputs:

Fig.01: Linux Verify That Processor/CPU Has the AES-NI Instruction

The aes output indicates that AES-NI support is enabled on my Linux system.

How do I verify that all my CPUs support AES-NI?

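The output of the following two commands should be the same:

# lscpu | grep '^CPU(s):'
32

And:

# grep -ow aes /proc/cpuinfo | wc -l
32

The -w option counts aes only as a whole word, so related flags such as vaes on newer CPUs do not inflate the count.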
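
The per-CPU comparison above can be done in one pass. This is an added example, not part of the original post: it counts processor entries whose flag list contains aes as a whole token, since a plain substring search for aes also matches newer flags such as vaes. The function names and the sample cpuinfo text are constructed for illustration, and it assumes each processor entry has its own flags (x86) or Features (ARM) line.

```shell
#!/bin/sh
# Added example: per-CPU AES check on cpuinfo-format text, matching whole flags.

# Print "<cpus_with_aes> <total_cpus>" for a cpuinfo file ("-" or none = stdin).
aes_coverage() {
    awk '
        /^processor[ \t]*:/ { total++ }
        # x86 kernels list CPU flags under "flags", ARM kernels under "Features"
        /^(flags|Features)[ \t]*:/ {
            sub(/^[^:]*:/, "")                 # keep only the flag list
            for (i = 1; i <= NF; i++)
                if ($i == "aes") { have++; break }
        }
        END { printf "%d %d\n", have, total }
    ' "${1:--}"
}

# Print all/partial/none/unknown with the counts; return 0 only for "all".
aes_status() {
    cov=$(aes_coverage "${1:-/proc/cpuinfo}") || return 2
    have=${cov% *}
    total=${cov#* }
    if [ "$total" -eq 0 ]; then echo "unknown 0/0"; return 2
    elif [ "$have" -eq "$total" ]; then echo "all $have/$total"; return 0
    elif [ "$have" -eq 0 ]; then echo "none 0/$total"; return 1
    else echo "partial $have/$total"; return 1
    fi
}

# Constructed sample (not real output): two logical CPUs with aes and vaes.
sample_cpuinfo() {
    cat <<'EOF'
processor  : 0
model name : Example CPU (constructed)
flags      : fpu sse2 pclmulqdq aes avx2 vaes vpclmulqdq

processor  : 1
model name : Example CPU (constructed)
flags      : fpu sse2 pclmulqdq aes avx2 vaes vpclmulqdq
EOF
}

# Substring count on the sample is 4; whole-flag status is "all 2/2".
sample_cpuinfo | grep -o aes | wc -l
sample_cpuinfo | aes_status -
```

Run aes_status with no argument to check /proc/cpuinfo on the local machine; a "partial" or "none" result on hardware that should support AES-NI points back to the BIOS setting mentioned earlier.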